Coordinated Disclosure Timeline
- 2021-01-18: Report sent to maintainers.
- 2021-01-19: Issue resolved.
Summary
The auto-version-bump.yml GitHub workflow in the alan-turing-institute/binderhub-deploy GitHub repository is vulnerable to arbitrary code execution from user comments: the body of an issue comment is expanded directly into a shell command.
Product
alan-turing-institute/binderhub-deploy GitHub repository
Tested Version
The latest revision of auto-version-bump.yml as of the report date.
Details
Issue: A comment body is used to format a shell command

on:
  issue_comment:
    types: ["created"]
jobs:
  bump-version:
    if: (
      (github.event.issue.pull_request != null) &&
      contains(github.event.comment.body, '/bump-version')
      )
    ...
      - name: Pull version from comment body
        run: |
          NEW_VERSION=$(echo ${{ github.event.comment.body }} | grep '/bump-version' | cut -d" " -f2)
Impact
The ${{ github.event.comment.body }} expression is substituted into the step's script text by the Actions runner before bash parses it, so any shell metacharacters in the comment become part of the command. The job's only guard is that the comment is on a pull request and contains the string /bump-version; it does not check who wrote the comment. Because issue_comment workflows run in the context of the base repository, with its GITHUB_TOKEN and secrets available, this command injection allows unauthorized modification of the base repository and exfiltration of secrets by anyone who can comment on a pull request. For a proof of concept, create a comment on a pull request with the body /bump-version); echo "test"; # : the ) closes the $( command substitution, echo "test" runs as an injected command, and # comments out the rest of the line.
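The following shell script is an added example, not code from the advisory or from the binderhub-deploy project. It reproduces what the runner does with the vulnerable step (textual substitution of the comment body into the script) next to the usual hardening: pass the untrusted value through an environment variable, quote it, anchor the grep so only a well-formed command matches, and validate the extracted version against a strict pattern before using it. The comment strings are constructed test inputs; the version regex and the step names are assumptions for illustration. The comment-body fix does not address the missing author check in the if: condition, which a maintainer would separately restrict (for example to github.event.comment.author_association values of OWNER or MEMBER).

```shell
# Constructed inputs: one benign command and the advisory's proof-of-concept payload.
BENIGN_COMMENT='/bump-version 1.2.3'
HOSTILE_COMMENT='/bump-version); echo "test"; #'

# Vulnerable pattern. The Actions runner expands ${{ github.event.comment.body }}
# into the script *text* before bash sees it; this function does the same
# substitution and then hands the result to bash, exactly as the step would.
vulnerable_step() {
  comment="$1"
  script="NEW_VERSION=\$(echo ${comment} | grep '/bump-version' | cut -d' ' -f2); printf '%s' \"\$NEW_VERSION\""
  bash -c "$script" 2>/dev/null
}

# Hardened pattern. The comment body reaches the script only through an
# environment variable (in a workflow: env: COMMENT_BODY: ${{ github.event.comment.body }}),
# is always double-quoted, must match the anchored command format, and the
# extracted version must look like a version number. Returns 1 on any failure.
safe_step() {
  comment="$1"
  COMMENT_BODY="$comment" bash -c '
    NEW_VERSION=$(printf "%s\n" "$COMMENT_BODY" | grep "^/bump-version " | cut -d" " -f2)
    # Assumed version format for this example: digits separated by dots, optional leading v.
    if [[ "$NEW_VERSION" =~ ^v?[0-9]+(\.[0-9]+)*$ ]]; then
      printf "%s" "$NEW_VERSION"
    else
      exit 1
    fi
  '
}

# Stand-alone demonstration.
printf 'vulnerable, benign : [%s]\n' "$(vulnerable_step "$BENIGN_COMMENT")"
printf 'vulnerable, hostile: [%s]\n' "$(vulnerable_step "$HOSTILE_COMMENT")"
printf 'safe, benign       : [%s]\n' "$(safe_step "$BENIGN_COMMENT")"
if safe_step "$HOSTILE_COMMENT" >/dev/null; then
  printf 'safe, hostile      : accepted (unexpected)\n'
else
  printf 'safe, hostile      : rejected\n'
fi
```

With the hostile comment the vulnerable function prints test, the output of the injected echo, while the hardened function rejects it because the payload never matches the anchored command and the version pattern; the benign comment yields 1.2.3 in both cases.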
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-012 in any communication regarding this issue.